View Source

About The Device

The Zscaler Internet Access (ZIA) is a secure internet and web gateway delivered as a service from the cloud. Think of ZIA as a secure internet onramp—just make Zscaler your next hop to the internet via one of the following methods:

Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
Forwarding traffic via our lightweight Zscaler Client Connector or PAC file (for mobile employees).

Device Information

Entity	Particulars
Vendor Name	Zscaler
Product Name	Internet Access
Type of Device	Cloud / Hosted

Collection Method

Cloud NSS:

Log Type	Ingestion label	Preferred Logging Protocol - Format	Log collection method	Data Source
Zscaler	ZSCALER_WEBPROXY	JSON	C2C-Push	https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-zscaler-webproxy-logs
Zscaler NGFW	ZSCALER_FIREWALL	JSON	C2C-Push	https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-zscaler-firewall-logs
Zscaler DNS	ZSCALER_DNS	JSON	C2C-Push	https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-zscaler-dns-logs
Zscaler Internet Access Audit Logs	ZSCALER_INTERNET_ACCESS	JSON	C2C-Push	https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-zscaler-internet-access-logs
Zscaler Tunnel	ZSCALER_TUNNEL	JSON	C2C-Push	https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-zscaler-tunnel-logs
Zscaler DLP	ZSCALER_DLP	JSON	C2C-Push	https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-zscaler-dlp-logs

VM NSS:

Log Type	Ingestion label	Preferred Logging Protocol - Format	Log collection method	Data Source
Zscaler CASB	ZSCALER_CASB	Syslog - Structured	CyberHub	https://cloud.google.com/chronicle/docs/ingestion/default-parsers/zscaler-casb

Port Requirements

Source	Destination	Port
Zscaler Internet Access	CyberHub	601 (TCP) (ZIA VM NSS)

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

To Configure Zscaler for NSS Cloud

Configure the Cloud NSS Feed on ZIA Admin Portal
1. Feed Name: Enter or edit the name of the feed. Each feed is a connection between the NSS and Chronicle.
2. NSS Type:
  1. NSS for Web: Select this Type to ingest WebProxy Logs
  2. NSS for Firewall: Select this Type to ingest Firewall Logs
  3. NSS for Tunnel: Select this Type to ingest Tunnel Logs
3. Status: Enabled.
4. SIEM Rate: Unlimited.
5. SIEM Type: Other
6. OAuth 2.0 Authentication: Disabled
7. JSON Array Notation: Disabled.
8. Max Batch Size: 512 KB.
9. API URL: Endpoint URL provided by Adaptive MxDR Service Delivery Lead
10. HTTP Headers:
  1. Header 1: X-goog-api-key
  2. Value 1: API Key generated on GCP BYOP’s API Credentials. This will be provided by Adaptive MXDR Service Delivery Lead.
  3. Header 2: X-Webhook-Access-Key
  4. Value 2: API secret key generated on webhook. This will be provided by Adaptive MxDR Service Delivery Lead
11. Log Type:
  1. Web Log: Select this to ingest Web Logs. This LogType is subtype of NSS For Web NSS Type as mentioned in option b. above
  2. Admin Audit Logs: Select this to ingest Admin Audit Logs. This LogType is subtype of NSS For Web NSS Type as mentioned in option b. above
  3. Endpoint DLP: Select this to ingest Endpoint DLP Logs. This LogType is subtype of NSS For Web NSS Type as mentioned in option b. above
  4. Firewall Logs: Select this to ingest Firewall Logs. This LogType is subtype of NSS For Firewall NSS Type as mentioned in option b. above
  5. DNS Logs: Select this to ingest DNS Logs. This LogType is subtype of NSS For Firewall NSS Type as mentioned in option b. above
  6. Tunnel Logs: Select this to ingest Tunnel Logs. This LogType is subtype of NSS For Tunnel NSS Type as mentioned in option b. above
12. Feed Output Type: JSON
13. Feed Escape Character: ,\"
14. Feed Output Format: Keep the default value.
15. JSON Array Notation: Disabled
16. Timezone: Set UTC.

Save your settings and test your connectivity. You should see a green check mark with the message Test Connectivity Successful: OK (200). Above mentioned configuration is similar for all log types: Web, Firewall, DNS, Tunnel, DLP and Admin Audit Logs.

Please find below table for NSS types and their respective Log types for easier configuration.

NSS Type	Log Type
NSS for Web	Web Log Admin Audit Logs Endpoint DLP
NSS for Firewall	Firewall Logs DNS Logs
NSS for Tunnel	Tunnel Logs

To configure Zscaler for NSS VM

Zscaler NSS Feed configuration for Web and Firewall

Log in to the Zscaler Analytics Admin console.
Select Administration > Settings > Nanolog streaming service (NSS).
Select NSS feeds and click Add.
In Add NSS feed window, configure the following:
1. Feed name: Enter the feed name.
2. NSS type: Select either NSS for web or NSS for firewall based on requirements.
3. NSS name: Select NSS virtual machine (VM) that collects logs from the cloud (only one NSS VM can be mapped to a feed).
4. Status: Select Enabled to activate the feed.
5. SIEM IP: Enter the CyberHub IP address.
6. SIEM TCP port: Enter the port number 601 for TCP communication (Zscaler supports only TCP connection).
7. SIEM Rate: Leave as Unlimited
8. Log type: Select Web log or Firewall logs based on the NSS type selected (ensure to select all the sub-logtype if available).
9. Feed output type: Select Custom.
10. Feed output format: Refer Custom Feed Output Format for Web and Firewall NSS
11. Time zone: Select the UTC time zone (default time zone is GMT).
12. Duplicate logs: Enter the number of minutes that NSS takes to send the duplicate logs (select the time based on requirements).
13. Transactions filters: There are various parameters available based on which you can filter the logs sent by the NSS Virtual machine.
  1. Configure SECURITY filter For WEB Logs:
    - Navigate to Filter and select SECURITY
    - Select Malware Classes, Malware Names and Advanced Threat as ANY. By default - it will be NONE and will not forward threat based logs.
  2. Configure SECURITY filter For FW Logs:
    - Navigate to Filter and select SECURITY
    - Select Threat Name and Advanced Threat Category as ANY. By Default - it will be NONE and will not forward threat based logs
14. Click save and activate the configurations.

5. Custom Feed Output Format for Web and Firewall NSS

In the Feed output format field, use the following format:

Custom format for Web Feed:

|ZSCALER|DATE|%s{mon} %d{dd} %02d{hh}:%02d{mm}:%02d{ss}|NSSFEEDIP|%s{nsssvcip}|CLIENTINTIP|%s{cintip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{proto}|URL|%s{url}|HOST|%s{host}|ACTION|%s{action}|REASON|%s{reason}|RISKSCORE|%d{riskscore}|APPNAME|%s{appname}|APPCLASS|%s{appclass}|REQSIZE|%d{reqsize}|RESPSIZE|%d{respsize}|CTIME|%d{ctime}|URLCLASS|%s{urlclass}|SUPERCAT|%s{urlsupercat}|URLCAT|%s{urlcat}|MALWARECAT|%s{malwarecat}|MALWARECLASS|%s{malwareclass}|THREATNAME|%s{threatname}|FILETYPE|%s{filetype}|FILECLASS|%s{fileclass}|DLPENGINE|%s{dlpeng}|DLPDICT|%s{dlpdict}|BWTHROTTLE|%s{bwthrottle}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|CLIENTIP|%s{cip}|DESTINATIONIP|%s{sip}|REQMETHOD|%s{reqmethod}|RESPCODE|%s{respcode}|USERAGENT|%s{ua}|REFERER|%s{referer}|MD5HASH|%s{bamd5}|DLPRULENAME|%s{dlprulename}|DLPMD5|%s{dlpmd5}|DLPIDENTIFIER|%d{dlpidentifier}|DLPDICTHITCOUNT|%s{dlpdicthitcount}|\n

Custom format for Firewall Feed:

|ZSCALERFIREWALL|DATE|%s{mon}%d{dd} %02d{hh}:%02d{mm}:%02d{ss}|CLIENTIP|%s{csip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{ipproto}|ACTION|%s{action}|DESTINATIONIP|%s{cdip}|SOURCEPORT|%d{csport}|DESTINATIONPORT|%d{cdport}|CLIENTTUNIP|%s{tsip}|CLIENTTUNPORT|%d{tsport}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|DESTINATIONCOUNTRY|%s{destcountry}|INCOMINGBYTES|%ld{inbytes}|NETWORKAPP|%s{nwapp}|NETWORKSVC|%s{nwsvc}|RULELABEL|%s{rulelabel}|NATTING|%s{dnat}|SESSIONDURATION|%d{duration}|AGGREGATEDSESSION|%d{numsessions}|AVERAGEDURATION|%d{avgduration}|TUNNELTYPE|%s{ttype}|SERVERDESTPORT|%d{sdport}|SERVERSOURCEIP|%s{ssip}|SERVERSOURCEPORT|%d{ssport}|IPCAT|%s{ipcat}|\n

Integration Parameters

ZIA Cloud NSS: Integration via Webhook - Configure Webhook on Google Chronicle Instance.

ZIA VM NSS:

Property	Default Value	Description
IP Address	Zscaler Internet Access interface IP address	Hostname or IP address of the device which forwards logs to the CyberHub